UNCLASSIFIED

United States Department of State
and the Broadcasting Board of Governors
Office of Inspector General

Memorandum Report

Information Security Program Evaluation

Report Number IT/A-02-06, September 2002


MEMORANDUM REPORT IT-A-02-06

Information Security Program Evaluation

September 2002

In response to the Government Information Security Reform Act (GISRA),[1] the Office of Inspector General (OIG) performed an independent evaluation of the information security program and practices of the Department of State (Department). GISRA provides: (1) a comprehensive framework for establishing and ensuring the effectiveness of controls over information resources; and (2) a mechanism for improved oversight of federal agency information security programs. The objective of the review was to determine whether the Department is effectively implementing key requirements of GISRA, including those areas pertaining to overall information technology (IT) security management and IT security risk management. The purpose, scope, and methodology for this review are discussed in appendix A.

[1] Public Law 106-398, Div. A, Title X, Subtitle G.

RESULTS IN BRIEF

OIG's evaluation of the effectiveness of the Department's information security program found several key areas of security that still require management attention. Specifically, OIG concluded that the Department has made slow progress in addressing information security weaknesses identified in OIG's September 2001 GISRA report.[2] In response to the report, the Department developed a strategy to address a key deficiency: the lack of certification and accreditation of its information systems. However, the Department has not developed a timetable for certification and accreditation of all systems, and as of August 2002, only four percent of its systems had been certified and accredited. Further, according to OIG's survey questionnaire, although 72 percent of the Department's 358 systems are reported to have security-level determinations, only 15 percent are reported to have security plans.

[2] Senior Management Attention Needed to Ensure Effective Implementation of the Government Information Security Reform Act (Report Number 01-IT-M-082, September 2001).

In addition, in FY 2002, OIG reported on information security vulnerabilities through its reviews of key information management programs. For example, in its February 2002 report[3] on the Classified Connectivity Program (CCP), a project to implement classified processing capability at overseas missions, OIG reported that the Department has not developed a definitive strategy for managing the security risks of its CCP deployments. Specifically, OIG reported that the Department had not completed the steps needed to certify and accredit the classified Windows NT LAN in accordance with federal requirements.

[3] Classified Connectivity Program: Progress and Challenges (Report Number IT-A-02-01, February 2002).

OIG Report No. IT/A-02-06, Information Security Program Evaluation, September 2002

Finally, at overseas missions, OIG found significant weaknesses in information security management. Specifically, OIG determined that the information systems security officers (ISSO) generally were not performing all the requisite duties of the position. In addition, none of the 11 missions that OIG visited had developed information systems security plans. Further, OIG found deficiencies in management, technical and operational controls, thus increasing the risk to mission operations.

This report presents the results of OIG's audit work in assessing the security over the Department's information technology resources. Recommendations OIG made to correct the deficiencies identified in this evaluation either were made in prior reports or will be made in reviews currently underway. Therefore, no recommendations are made in this report.

BACKGROUND

Information security is an important goal for any organization that depends on information systems and computer networks to carry out its mission. The dramatic expansion in computer interconnectivity and the rapid increase in the use of the Internet are changing the way the government, nation, and much of the world communicate and conduct business. However, without proper safeguards, these developments pose enormous risks that make it easier for people and groups with malicious intent to intrude into inadequately protected systems and use such access to obtain sensitive information, commit fraud, disrupt operations, or launch attacks against other computer networks and systems. Further, the number of people with computer skills is increasing, and intrusion techniques and tools are readily available and relatively easy to use.

Computer-supported government operations, including those at the Department, are also at risk. Previous General Accounting Office (GAO), OIG, and Bureau of Diplomatic Security (DS) reports have identified persistent computer security weaknesses that place a variety of critical and mission-essential Department operations at risk of disruption, fraud, and unauthorized disclosure. The Department recognizes that much more must be done to develop fully and ensure continuity of its systems security program.

Faced with growing concerns about information security risks to the federal government, the Congress passed and the President signed GISRA into law in late 2000. GISRA provides: (1) a comprehensive framework for establishing and ensuring the effectiveness of controls over information resources that support federal operations and assets; and (2) a mechanism for improved oversight of federal agency information security programs. Specifically, GISRA requires agencies to:
• identify, use, and share best security practices;
• develop an agency-wide information security plan;
• incorporate information security principles and practices throughout the life cycles of the agency's information systems; and
• ensure that the information security plan is practiced throughout all life cycles of the agency's information systems.

In addition, GISRA assigns the agency's Chief Information Officer (CIO) the authority and responsibility to administer key functions under the statute, including:
• designating a senior agency information security official who reports to the CIO;
• developing and maintaining an agency-wide information security program;
• ensuring that the agency effectively implements and maintains information security policies, procedures, and control techniques; and
• training and overseeing personnel with
significant responsibilities for information security.

Finally, in addition to a number of other provisions, GISRA requires each agency to have performed an independent evaluation of its information security program and practices. The OIG or the independent evaluator performing a review may use any audit, evaluation, or report relating to the effectiveness of the agency's information security program to do so. The agency is required to submit the independent evaluation, along with its own assessment, to the Office of Management and Budget (OMB) as part of its annual budget request.

OVERVIEW OF THE DEPARTMENT'S MANAGEMENT APPROACH TO INFORMATION SECURITY

The Department provided an overview of its management approach to information security in its FY 2001 Systems Security Program Plan (SSPP) issued in May 2001. The SSPP, which was first developed by the CIO and then issued to the Department, has not been revised to address the GISRA requirements and the more recent changes and delegations of authority within the Department. However, the SSPP does establish a baseline for the Department to build upon in organizing its information security program. It identifies the authorities and fundamental principles guiding IT security in the Department, outlines the IT roles and responsibilities of the Department's bureaus, and briefly addresses the strategies for achieving and maintaining a desirable IT security posture for the Department. The SSPP applies to all classified, unclassified, and sensitive but unclassified systems throughout the Department, its domestic bureaus, offices, annexes, and missions worldwide.

REVIEW FINDINGS

Slow Progress in Addressing FY 2001 GISRA Report Findings

The Department has made slow progress in addressing the information security deficiencies identified in OIG's September 2001 GISRA report.[4] OIG reported that, according to its system survey, nearly 70 percent of the Department's systems were reported to have security-level determinations, while only ten percent were reported to have security plans, and only five percent were reported to have been certified and accredited. OIG recommended that the Department develop a strategy and timetable for ensuring that all of the Department's systems and applications address each of the key GISRA system security elements.

[4] Senior Management Attention Needed (Report Number 01-IT-M-082, September 2001).

In response, DS and the Bureau of Information Resource Management (IRM) developed a strategy aimed at implementing the National Information Assurance Certification and Accreditation Process (NIACAP) across the Department, including quick and efficient certification and accreditation of all Department systems, networks, applications, domains, and sites. The strategy identifies five major areas (education, documentation, applications, sites, and remediation) that need to be addressed in order to implement NIACAP. However, the Department has not developed a timetable for certification and accreditation of all systems, and as of August 2002, only four percent of its systems had been certified and accredited. To its credit, as part of OpenNet Plus[5] implementation, the Department has made progress in assessing information security at missions and bureaus through its Connection Approval Process (CAP). So far, 23 bureaus and about 141 missions have had independent verification and validation (IV&V) of their respective IT infrastructures, which measures the extent to which each site complies with the Department's IT security configuration. Missions must show that they comply with existing security standards prior to receiving Internet web services from OpenNet Plus. As of September 3, 2002, 20 bureaus and 84 missions have cleared IV&V requirements and are connected to OpenNet Plus. According to DS and IRM, IV&V will provide a baseline for future efforts aimed at full certification and accreditation.

[5] OpenNet Plus is the Department's program to provide worldwide desktop Internet access to its employees.

In addition, OIG reported that the Department has not developed information security performance measures to support strategic goals. Performance measures are key requirements of both the Government Performance and Results Act (Public Law 103-62) and GISRA. OIG recommended that the CIO ensure that program managers develop and use performance measures in support of the Department's information systems security program. In August 2002, the CIO issued the Department's FY 2003 Information Assurance Performance Measures Plan, and requested that all bureaus and missions implement procedures for collecting and submitting data in accordance with the plan. The CIO directed that collection of data should begin no later than October 1, 2002.

Department Information Security Weaknesses Identified in OIG Evaluations

In FY 2002, OIG reported on information security vulnerabilities through its audits of key information management programs. Specifically, OIG identified weaknesses in the management of information security in several information management programs. Also, in May 2002, OIG notified DS and IRM of a security vulnerability involving the fielding of OpenNet Plus. Finally, OIG noted that the Department has not addressed weaknesses in its critical infrastructure protection program.

Information Security Issues in OIG Audit Reports

OIG identified additional weaknesses in the Department's management of information security in its reports on three different information management programs: Munitions Controls Systems; the Classified Connectivity Program (CCP); and the Central Financial Management System (CFMS). In March 2002,[6] OIG reported that the Office of Defense Trade Controls (DTC) had not obtained an up-to-date determination of the level of security required to protect its export licensing system and the proprietary munitions license data that it supports. In addition, OIG reported that the DTC's information assurance strategy has been one of risk avoidance; that is, remaining isolated to eliminate the potential for unauthorized access or malicious intrusion, rather than prioritization and risk management. OIG recommended that DTC assess the security risks of the munitions export licensing process and develop and implement an information security strategy to manage those risks effectively.

[6] Streamlined Processes and Better Automation Can Improve Munitions License Reviews (Report Number IT-A-02-02, March 2002).

Further, in its February 2002 report[7] on the CCP, a project to implement classified processing capability at overseas missions, OIG reported that the Department has not developed a definitive strategy for managing the security risks of its CCP deployment. Specifically, OIG reported that the Department had not completed the steps needed to certify and accredit the classified Windows NT LAN in accordance with federal requirements. Lacking certification, there is no central oversight or in-depth assessment to identify technical or environmental security risks for the CCP program. And, lacking accreditation, there is also no formal acceptance of, or accountability for, managing those risks by site managers or chiefs of mission. OIG also reported that the Department's IT contingency planning efforts have not been adequate to help safeguard classified information systems and the critical business functions they support should unexpected disruptions occur at overseas missions. The report estimated that as many as 85 to 90 percent of the missions lack such plans.

[7] Classified Connectivity Program (Report Number IT-A-02-01, February 2002).

Finally, in a May 2002 assessment[8] of CFMS, OIG reported that while the application functioned in a reasonably secure manner, weaknesses[9] in the Department's supporting IT infrastructure increased the risk that unauthorized users could gain access to the system. OIG made a number of recommendations to improve IT infrastructure security.

[8] Information Technology Vulnerability Assessment for the Central Financial Management System (Report Number AUD/FM-02-15).
[9] The specific details of these security weaknesses are classified.

OpenNet Plus Security Vulnerability

In May 2002, OIG notified IRM and DS of a security vulnerability concerning the fielding of OpenNet Plus[10] throughout the Department. OIG suggested that the two bureaus determine whether the vulnerability could be fixed or, if not, conduct a risk assessment and make a risk management decision about OpenNet Plus implementation. DS responded in a June 2002 memorandum to OIG, which was not cleared through IRM, suggesting there was no vulnerability, and that even if there was, IRM had made a risk management decision to go forward. Subsequently, IRM issued a Department notice reminding employees that they should not download software from the Internet that has not been approved by the IT Change Control Board. As of September 2002, however, IRM had not developed a technical solution to this problem, or decided to accept the risk that this vulnerability presents to OpenNet Plus. Further, IRM had not notified the Department's systems administrators and ISSOs of this vulnerability and the risk it may pose to Department operations.

[10] The specific details of this vulnerability are classified.

Critical Infrastructure Program Weaknesses Remain

The Department has not addressed weaknesses in its critical infrastructure protection program, which OIG discussed in a June 2001 report.[11] The report assesses the Department's progress in developing and implementing its cyber-based critical infrastructure protection plan, as mandated by Presidential Decision Directive 63. The OIG report contains a number of recommendations to strengthen the Department's approach to critical infrastructure protection planning, including:
• assessing the vulnerability of the Department's foreign operations to cyber-based disruptions;
• scheduling and conducting security controls evaluations of all minimum-essential cyber infrastructures at least once every three years; and
• ensuring that subsequent critical infrastructure protection plans and vulnerability assessments address minimum-essential interagency infrastructure vulnerabilities.

[11] Critical Infrastructure Protection: The Department Can Enhance Its International Leadership and Its Own Cyber Security (Report Number 01-IT-R-044, June 2001).

The Department has not addressed these recommendations, in part because its critical infrastructure planning has been in a state of flux. Specifically, in February 2002, the Under Secretary for Management established a formal Department-wide critical infrastructure protection program that is to be managed and provided with resources over a multiyear planning period. It is to be aligned with the Department's budget and planning process in order to achieve key objectives for domestic and overseas operations. In addition, the Under Secretary assigned lead responsibility for formulation and execution of the Department-wide critical infrastructure protection program to the Assistant Secretary for Resource Management. Subsequently, in April 2002, the Assistant Secretary for Resource Management established the Tier One Governance Board, which is composed of senior managers who are responsible for the Department's infrastructure. The board is supposed to facilitate the decision-making process on policy and priorities related to critical infrastructure protection objectives.

Mixed Results from OIG's Information Security Management Questionnaire

OIG developed two data collection surveys to determine general information about the Department's information security program. The first questionnaire identified the universe of systems operating throughout the Department. It also obtained information on IT security plans, assessments, and determinations as required by OMB guidance, prior information security laws, and GISRA.

Specifically, the first questionnaire requested information on the following:
• Risk assessments. The identification and analysis of possible risks in meeting the agency's objectives, which form a basis for managing the risks identified and implementing deterrents.
• Security-level determinations. Assessments that identify the specific security levels that should be maintained for IT system hardware, software, and the information maintained or processed on systems.
• System security plan. A written plan that clearly describes the bureau or mission security program, as well as the policies and procedures that support it. The plan and related policies should include all major systems and facilities and outline the duties of those who are responsible for overseeing security as well as those who own, use, or rely on the entity's computer resources.
• Certification and accreditation. Attestations that an information system meets documented security requirements and will continue to maintain the approved security posture throughout its life cycle.
• Tests of security controls. Assessments of controls designed to protect computer facilities, computer systems, and data stored on computer systems or transmitted via computer networks from loss, misuse, or unauthorized access.

According to OIG's survey results, the Department identified 358 systems and applications. Further, the survey indicated that there is significant room for improvement in information security management throughout the Department. As Table 1 shows, bureaus reported that 72 percent of their applications had security-level determinations. However, bureaus also reported that only four percent of their applications are certified and accredited, and only 15 percent of applications have security plans.
(See appendix B for detailed survey results.)

Table 1: Department Survey Results on Key Information Systems Security Elements

System Requirement              Number    Percentage
Risk Assessment                    201        56
Security-Level Determination       257        72
Security Plan                       53        15
Certified and Accredited            16         4
Tested Security Controls           164        46

Note: A total of 358 systems and major applications were reported in OIG's Department survey.

The second questionnaire highlighted five of the Department's major information systems. OIG selected these systems based on their importance to the Department in the areas of human resources, inventory management, financial management, public diplomacy, and classified information processing. The questions pertained to management and operational controls. More specifically, they focused on security control reviews, personnel security, contingency planning, data integrity, security awareness, training, education, and incident response capabilities.

Overall, the second questionnaire and follow-up results were mixed. As shown in Table 2, bureaus reported that 60 percent of the systems had tested security controls, but only 20 percent of the systems had a documented risk assessment. Also, bureaus reported that only 20 percent of the systems have a security plan in place, and no system in the OIG sample was certified and accredited.

Table 2: Major Information Systems Survey Results

System                                    Risk        Security Level   Security   Certified and   Tested Security
                                          Assessment  Determined       Plans      Accredited      Controls
Classified Network                        No          No               No         No              No
Global Employee Management System         No          Yes              No         No              Yes
Logistics Management Information System   No          Yes              Yes        No              Yes
Public Diplomacy Network                  No          Yes              No         No              No
Regional Financial Management System      Yes         No               No         No              Yes

On a more positive note, Table 3 shows that all five systems have a trained ISSO assigned, and all five systems have automatic virus detection. However, the table also shows that only two of the five systems have contingency plans developed and updated, and only one system has a documented IT system security self-assessment.

Table 3: Major Information Systems Survey Results (continued)

System                                    Trained   Contingency Plans       Automatic          Security
                                          ISSO      Developed and Updated   Virus Detection    Self-Assessments
Classified Network                        Yes       No                      Yes                Yes
Global Employee Management System         Yes       Yes                     Yes                No
Logistics Management Information System   Yes       Yes                     Yes                No
Public Diplomacy Network                  Yes       No                      Yes                No
Regional Financial Management System      Yes       No                      Yes                No

OIG's detailed review of each of these systems revealed the following:

Classified Network (ClassNet)

ClassNet, managed by IRM, is the Department's major classified information processing network. Although the bureau reported that ClassNet is certified and accredited, OIG's evaluation found that the system does not have a documented risk assessment, security plan, or tested security controls. Without these key information security elements in place, the system cannot meet the requirements for certification and accreditation under NIACAP. IRM has made progress in strengthening ClassNet information security through the development of a draft document describing its critical operations and a draft backup and recovery plan.

Global Employee Management System (GEMS)

GEMS, managed by the Bureau of Human Resources (HR), is the primary Department personnel and human resource management system. Although OIG found considerable information security documentation in place for GEMS, including a contingency plan and administrator manuals, the documentation does not meet the system security plan requirements cited in OMB Circular A-130. Further, OIG determined that neither a formal risk assessment nor a self-assessment of the system in accordance with NIST guidelines had been completed. Although HR completed the risk assessment section of its OMB Capital Asset Plan for the Department's FY 2003 budget submission, the information was not supported by an information security assessment.

Logistics Management Information System (LMIS)

LMIS, managed by the Bureau of Administration, is a comprehensive logistics management system. OIG's detailed review of LMIS showed that although an informal risk assessment for LMIS had been conducted, it did not satisfy either the NIST or OMB Circular A-130 guidance. Also, OIG found that no self-assessment had been completed for the system and that although there was a security plan in place, it had not been updated since 1998.
Security plans should be updated when any major change is made to the system or at least once every three years during its usable life.

Public Diplomacy Network (PDNet)

PDNet, jointly managed by the Bureau of Educational and Cultural Affairs and the Office of International Information Programs, is the Department's primary network for public diplomacy activities. PDNet also provides users with Internet access. This system had been off-line for several months during FY 2001 following a successful hacker attack. OIG found minimal information security documentation in place and determined that no risk assessment or self-assessment had been conducted. In addition, bureau officials reported in a draft business continuity plan that the ability to recover fully and instantaneously, while desirable, is not possible because of funding constraints. Further, the plan states that disaster recovery would use off-site tape backups that would have to be recovered on another network, which does not exist at this time.

Regional Financial Management System (RFMS)

RFMS, managed by the Bureau of Resource Management, is a major financial management system currently under development. OIG selected this system for further review because GISRA requires that the agency information security plan be practiced throughout the system development life cycle, including initial development. OIG found that the bureau developed and submitted draft certification and accreditation documentation for precertification review. Also, the bureau has appropriately developed the required information security items, such as business case and mission statements, system specifications and designs, a configuration management plan, system administrator manuals, and a system security authorization agreement.

INFORMATION SECURITY MANAGEMENT DEFICIENCIES AT OVERSEAS MISSIONS

OIG evaluated information security management at 11 missions during FY 2002. OIG found that the Department's ISSO program was not meeting its objectives and that no mission visited had developed a mission-wide information systems security plan. In addition, OIG's technical evaluation identified significant weaknesses in mission information security management, technical and operational controls.

ISSO Program Weaknesses

At sites visited, OIG found that ISSOs generally are not performing all the requisite duties of the position. The Department's increasing dependence on information systems has created the need to ensure that IT system assets, including hardware, software, and the information they process, are protected from actions that could jeopardize the ability of employees to perform official duties. Although much of the responsibility for securing information and IT system assets has been placed with the ISSO, in most instances these duties are assigned on a collateral basis and are not the primary duties of the individual designated as the ISSO. Instead, under the Department's 12 FAM 600 guidance, administrative officers at missions have assigned the responsibilities and associated duties to Foreign Service personnel whose primary positions are found in the information management, regional security, engineering security, and other offices. The collateral nature of these assignments reduces the time available to perform ISSO duties because the incumbents view them as secondary. Also, designating information management and information systems staff as ISSOs may hinder the ability to have independent monitoring and checking of both systems management and operations.

At nine of the eleven missions visited, OIG found that ISSOs were not adequately fulfilling their administrative, physical, personnel, system, and technical responsibilities. At one mission, for example, the designated ISSO had permanently departed, the alternate ISSO was performing none of the ISSO duties, and no records existed to show what the previous ISSO had done. At another mission, the ISSO had run the Department's preferred analysis program once in a 12-month period, creating a six-inch stack of paper that was never completely analyzed. These analyses should be performed as frequently as determined appropriate for the specific mission, but not less than quarterly. In all instances, the incumbent ISSOs made the point that their designation and the associated collateral duties were secondary to their primary assignment. In one instance, an ISSO identified a serious problem at the mission concerning the processing of classified information on unclassified systems and was subsequently counseled about the time taken away from the ISSO's usual duties supporting IT operations.

Lack of Information Security Plans at Missions

OIG found that none of the missions visited had developed a mission-wide information systems security plan.
DS recommends that ISSOs develop individualized\nsecurity plans to carry out 12 FAM 600 policies and procedures overseas. At a\nminimum, these plans should describe:\n\xe2\x80\xa2   the mission\xe2\x80\x99s systems, including their names, purpose, location, who will be\n    using them, and type of equipment, including peripherals and network con-\n    nections;\n\xe2\x80\xa2   the type of information to be processed and stored, including the sensitivity\n    level;\n\xe2\x80\xa2   the system staff and designated security responsibilities;\n\xe2\x80\xa2   vulnerabilities and threats to the mission\xe2\x80\x99s IT systems;\n\xe2\x80\xa2   the security incident reporting chain; and\n\xe2\x80\xa2   specific measures to reduce IT system risks.\n\n\n\nOIG Report No. IT/A-02-06, Information Security Program Evaluation, September 2002     13 .\n\n                                       UNCLASSIFIED\n\x0c                                 UNCLASSIFIED\n\n\n\n           The lack of security planning at the missions is, in part, the result of insuffi-\n       cient guidance from the Department and a general belief at missions that IT infor-\n       mation security is less important than other elements of security. Officials told\n       OIG that developing a mission-wide security plan was unlikely because informa-\n       tion management staff were overburdened with the mission\xe2\x80\x99s immediate technical\n       and operational concerns. In addition, information management staff told OIG\n       that the mission\xe2\x80\x99s culture tended to prioritize physical security, customer service\n       and other business issues before IT information security.\n\n           To address this problem, DS has developed draft site Systems Security Authori-\n       zation Agreement templates for both the sensitive-but-unclassified and classified\n       processing environments. 
This template, once completed by a mission, will be the\n       single source for all information pertaining to the certification and accreditation\n       process of a mission or bureau. DS plans to implement this template in October\n       2002.\n\n       Results Of Mission Information Security\n       Technical Evaluations\n\n           OIG found significant weaknesses in the Department\xe2\x80\x99s management, technical\n       and operational controls at missions visited during FY 2002. These weaknesses\n       resulted from improperly configured systems, inadequate testing of controls, and, in\n       some instances, inadequate understanding of the interrelationships of controls and\n       the corresponding system. Thus, at 11 missions visited, IT information systems\n       could be compromised through a variety of means that exploited the existing\n       controls.\n\n           Controls improve the security of a particular system or group of systems. They\n       often require technical or specialized expertise as well as rely upon management\n       activities. Management controls include techniques and measures that focus on\n       the oversight of the IT security systems and the management of risk for a specific\n       system. Technical controls are controls that are automated and rely on technical\n       expertise to implement. These controls can provide automated protection against\n       unauthorized access or misuse, facilitate detection of security violations, and\n       support security requirements for applications and data. 
Operational controls are those controls implemented and executed by people.

    Table 4 below highlights weaknesses identified during OIG’s technical evaluations and associates the weaknesses with three key issue areas that are the foundation of the Department’s approach to IT risk management and are necessary to protect mission operations from disruption. Weaknesses in system security procedures, if exploited, can cause damage to hardware components, software applications, and the information on the system. For example, as a result of inadequate password management, the system could be exploited through penetration or impersonation, and IT information resources could be used for unauthorized purposes or to launch attacks.

Table 4: Technical Evaluation Summary: Weaknesses in Mission Information Security

Each issue area is broken down by control area (management, technical, and operational controls).

Issue area: Password and Account Management
    Management controls:
    •   Inadequate training
    •   Inadequate enforcement of standardized requirements
    •   Inadequate separation of duties in account establishment
    Technical controls:
    •   Lack of password and account management plan
    •   Inadequate control for system security account manager
    Operational controls:
    •   Inadequate process for review of password development
    •   Inadequate compliance with FAM guidance on password development

Issue area: Configuration and Change Control Management
    Management controls:
    •   IT configuration management process, including change control, not implemented
    Technical controls:
    •   Servers and workstations not in compliance with Department standards
    Operational controls:
    •   Centralized asset management insufficient

Issue area: Documentation
    Management controls:
    •   No entity-wide security plans
    •   No documented risk assessments and other key documentation
    Technical controls:
    •   No standard approach for implementing and managing systems
    Operational controls:
    •   No Department guidance that establishes minimum security requirements

DEPARTMENT COMMENTS

OIG discussed the contents of this report with Department officials on August 28, 2002. Generally, these officials agreed with the issues presented and noted that there is mutual agreement that additional efforts must be made to implement a comprehensive information security program.
Appendix A

PURPOSE, SCOPE, AND METHODOLOGY

Section 3535 of GISRA directs each agency to conduct an annual independent evaluation of its information security program and practices beginning in FY 2001. The objective of the review was to determine whether the Department is effectively implementing key requirements of GISRA, including those areas pertaining to overall IT security and risk management.

    To fulfill its review objectives, OIG developed two data collection surveys, which it used to obtain general information about the Department’s information security program. OIG’s first survey determined the Department’s universe of systems. OIG sent a questionnaire to all identified system managers at the Department asking general information security questions. The managers were also asked to update the Department’s list of information systems to the best of their knowledge. The second survey highlighted five of the Department’s major information systems. OIG selected these systems based on their importance to the Department in the areas of human resources, inventory management, financial management, public diplomacy, and classified information processing. OIG’s questions pertained to management and operational controls. More specifically, the questions focused on security control reviews, personnel security, contingency planning, data integrity, security awareness, training, education, and incident response capabilities. The questions in the surveys came directly from the National Institute of Standards and Technology’s Self-Assessment Guide for Information Technology Systems, which OIG edited to cover risk/vulnerability assessments, security controls, life cycle, certification and accreditation, information system security plans, personnel security, contingency plans, data integrity, documentation, and incident response capability. OIG did not independently verify the information collected from its first survey, but did selectively verify key information from responses to its second survey.

    OIG discussed the contents of this report with Department officials on August 28, 2002, and made revisions to the report where appropriate. Staff from OIG’s Information Technology Office performed this evaluation from February 2002 through July 2002. Contributors to this report were Frank Deffer, James Davies, Tim Fitzgerald, Robert Taylor, Chris Watson, Matthew Worner, and Heather Rogers. Comments or questions about the report can be directed to Mr. Deffer at defferf@state.gov or at (703) 284-2715, or to Mr. Davies at daviesj@state.gov or at (703) 284-2673.
Appendix B

FY 2002 GISRA Evaluation-Questionnaire Statistics Summary

Columns: (1) total number of systems reported by bureau; (2) systems with risk assessments; (3) systems with security level determinations; (4) systems with security plans; (5) systems certified and accredited; (6) systems with tested security controls. Columns (2) through (6) give the number of systems and, in parentheses, the percent of the entity’s reported systems.

Department Entity                                                         (1)         (2)         (3)         (4)         (5)         (6)
Bureau of Administration                                                   28     7 ( 25%)     8 ( 29%)     6 ( 21%)     5 ( 18%)     3 ( 11%)
Bureau of Consular Affairs                                                 36    25 ( 69%)    17 ( 47%)    15 ( 42%)     4 ( 11%)    17 ( 47%)
Bureau of Diplomatic Security                                              46    46 (100%)    46 (100%)     0 (  0%)     0 (  0%)    46 (100%)
Bureau of Diplomatic Security, Office of Foreign Missions                   4     0 (  0%)     1 ( 25%)     1 ( 25%)     0 (  0%)     0 (  0%)
Bureau of East Asian and Pacific Affairs                                    1     0 (  0%)     1 (100%)     0 (  0%)     0 (  0%)     1 (100%)
Bureau of Educational and Cultural Affairs [12]                            38    23 ( 61%)    38 (100%)    11 ( 29%)     0 (  0%)     0 (  0%)
Bureau of European Affairs                                                  5     0 (  0%)     0 (  0%)     0 (  0%)     0 (  0%)     0 (  0%)
Foreign Service Institute                                                   2     1 ( 50%)     2 (100%)     1 ( 50%)     0 (  0%)     0 (  0%)
Bureau of Human Resources                                                  20     3 ( 15%)    18 ( 90%)     6 ( 30%)     2 ( 10%)    19 ( 95%)
Bureau of Information Resource Management                                  29    11 ( 38%)    11 ( 38%)     8 ( 28%)     2 (  7%)     3 ( 10%)
Office of Inspector General                                                 8     5 ( 63%)     6 ( 75%)     0 (  0%)     0 (  0%)     6 ( 75%)
Bureau of Intelligence and Research                                         3     2 ( 67%)     3 (100%)     2 ( 67%)     1 ( 33%)     1 ( 33%)
Bureau of International Narcotics and Law Enforcement Affairs               1     1 (100%)     1 (100%)     1 (100%)     0 (  0%)     1 (100%)
Bureau of International Organizational Affairs                              2     2 (100%)     2 (100%)     0 (  0%)     0 (  0%)     0 (  0%)
Office of the Legal Adviser                                                 5     0 (  0%)     0 (  0%)     0 (  0%)     0 (  0%)     0 (  0%)
Office of Medical Services                                                  3     2 ( 67%)     3 (100%)     0 (  0%)     0 (  0%)     2 ( 67%)
Bureau of Nonproliferation                                                  2     0 (  0%)     2 (100%)     0 (  0%)     0 (  0%)     0 (  0%)
Bureau of Oceans and International Environmental and Scientific Affairs     5     5 (100%)     5 (100%)     0 (  0%)     0 (  0%)     0 (  0%)
Overseas Building Operations                                               29     1 (  3%)    29 (100%)     0 (  0%)     0 (  0%)     0 (  0%)
Bureau of Population, Refugees, and Migration                               2     0 (  0%)     0 (  0%)     0 (  0%)     0 (  0%)     0 (  0%)
Bureau of Public Affairs                                                    5     1 ( 20%)     1 ( 20%)     0 (  0%)     0 (  0%)     0 (  0%)
Bureau of Resource Management                                              23     5 ( 22%)     2 (  9%)     2 (  9%)     2 (  9%)     5 ( 22%)
Office of the Secretary                                                    61    61 (100%)    61 (100%)     0 (  0%)     0 (  0%)    60 ( 98%)
Totals                                                                    358   201 ( 56%)   257 ( 72%)    53 ( 15%)    16 (  4%)   164 ( 46%)

[12] The Bureau of Educational and Cultural Affairs response also includes the Coordinator of International Information Programs office.